U.S. AGENCY FOR INTERNATIONAL DEVELOPMENT


RISK APPETITE STATEMENT – JUNE 2018
TABLE OF CONTENTS

1. INTRODUCTION
1.1 Purpose
1.2 Background
1.3 Agency Objectives
1.4 Risk Categories
1.5 Risk Appetite Methodology
1.6 How to Use This Statement
2. OVERALL RISK APPETITE STATEMENT
3. PROGRAMMATIC RISK
4. FIDUCIARY RISK
5. REPUTATIONAL RISK
6. LEGAL RISK
7. SECURITY RISK
8. HUMAN-CAPITAL RISK
9. INFORMATION-TECHNOLOGY RISK

USAID.GOV USAID RISK APPETITE STATEMENT | 2


USAID RISK APPETITE STATEMENT

1. INTRODUCTION

1.1 Purpose

The purpose of this Risk Appetite Statement (hereinafter “Statement”) is to provide U.S. Agency for
International Development (USAID) staff with broad-based guidance on the amount and type of risk the
Agency is willing to accept – based on an evaluation of opportunities and threats at a corporate level,
and in key risk categories – to achieve the Agency’s mission and objectives.

This Statement is a critical component in USAID’s overall effort to achieve effective Enterprise Risk
Management (ERM), and the leadership of the Agency will review and update it annually as the ERM
program matures and our needs evolve.

1.2 Background

In 2016, the Office of Management and Budget (OMB) updated Circular A-123 to introduce a new
requirement that Federal Departments and Agencies integrate ERM with their internal-control
systems. ERM is a holistic, Agency-wide approach to risk-management that emphasizes addressing the
full spectrum of risks and managing their combined impact as an interrelated risk portfolio, rather
than examining risks in silos, which can sometimes provide distorted or misleading views with respect
to their ultimate impact. Under an ERM approach, the goal is not to control or avoid all risk, but
rather to take advantage of opportunities, while reducing or mitigating threats to maximize the
Agency’s overall likelihood of achieving its mission and objectives.

ERM AT USAID

Achieving effective ERM is particularly important at USAID. The Agency’s core mission and role in
support of U.S. foreign policy and national security objectives requires that we work in a wide
variety of high-threat environments, with risks ranging from state failure and armed conflict in the
most “fragile” contexts to corruption, natural disaster and macroeconomic instability in more
“traditional” contexts. As a result, there is rarely a single path to achieving development results,
and our staff is called upon every day to make a range of cross-disciplinary, risk-informed decisions
about how best to deliver foreign assistance. Despite these inherent risks, we rise to this challenge
using a variety of risk-management techniques because the U.S. Government has made a determination
that the risk of inaction, or inadequate action, outweighs the risk of providing assistance.

1.3 Agency Objectives

OMB Circular A-123 states that an Agency’s objectives and the context in which it operates should
inform its risk appetite. On August 7, 2017, USAID Administrator Mark Green articulated the Agency’s
objectives as follows:

We will strive to: (1) end the need for foreign assistance. We must measure our work by how far each
investment moves us closer to the day when our relationship with the host country changes. In many cases,
this day will be far off, but will be a driving force in how we design programs to fit specific needs and
challenges on the ground. To that end, we will focus on (2) strengthening our core capacities and (3)
interagency coordination, while (4) empowering our employees and partners to lead. Finally, we will (5)
respect the taxpayers’ investments by being transparent and accountable stewards of the resources and
expectations given to us from the American people.

USAID’s Mission Statement encompasses these objectives:

On behalf of the American people, we promote and demonstrate democratic values abroad, and
advance a free, peaceful, and prosperous world. In support of America’s foreign policy, the U.S. Agency
for International Development leads the U.S. Government’s international development and disaster
assistance through partnerships and investments that save lives, reduce poverty, strengthen democratic
governance, and help people emerge from humanitarian crises and progress beyond assistance.

1.4 Risk Categories

Per OMB Circular A-123, “risk” is defined as the “effect of uncertainty on [an Agency’s] objectives.”
This definition is quite different than the everyday use of the word “risk”: it is not necessarily positive or
negative. Rather, it includes factors that could threaten or enhance the likelihood of achieving this set of
objectives. Using this neutral definition of risk that emphasizes the importance of a continual weighing of
cost and benefit, USAID defines the key categories of risk as follows:

● Programmatic Risks are events or circumstances that could potentially improve or undermine
the effectiveness of USAID’s development or humanitarian assistance.

● Fiduciary Risks are events or circumstances that could result in fraud, waste, loss, or the
unauthorized use of U.S. Government funds, property, or other assets. It also refers to conflicts
of interest that could adversely affect the accountability of U.S. taxpayer dollars, or the
realization of development or humanitarian outcomes.

● Reputational Risks are events or circumstances that could potentially improve or compromise
USAID’s standing or credibility with Congress, the interagency, the American public,
host-country governments, multilateral institutions, implementing partners, beneficiaries, or other
stakeholders.

● Legal Risks are events or circumstances that could potentially improve or compromise
compliance with law, regulation, Executive Order, or other source of legal requirement.

● Security Risks are events or circumstances that potentially improve or compromise the
security of USAID staff, partners, property, information, funding or facilities.

● Human-Capital Risks are events or circumstances that could potentially improve or
compromise the capacity, productivity, hiring, or retention of employees.

● Information-Technology Risks are events or circumstances that could potentially improve or
compromise the processing, security, stability, capacity, performance, or resilience of
information technology.

Encompassing all of these risks is the context in which our programs operate. Context is often
outside our control, and has the potential to materially impact the Agency’s ability to achieve
objectives in a given country. This Statement does not assign a risk appetite rating for context.
However, since context can often increase the likelihood that other types of risk might occur
(e.g., programmatic, security, fiduciary), understanding context is often the starting point for
determining an operating unit’s approach to risk-management. For example, while we generally cannot
mitigate the risk that a conflict might occur, there are programmatic measures we can implement to
lessen the risk that such circumstances affect the effectiveness of our programs and operations.

NON-PERMISSIVE ENVIRONMENTS

Context impacts risk in every environment in which we work, but is particularly important in
so-called “non-permissive environments” characterized by uncertainty, instability, inaccessibility,
and/or insecurity where the associated risks are higher than other environments. Such environments
are also often the places where development and humanitarian assistance are most needed. Therefore,
to achieve our objectives, we often accept a higher degree of overall risk to capture opportunities
while implementing enhanced measures to mitigate the threat of not achieving our objectives.

1.5 Risk-Appetite Methodology

In Sections 2-9, this Statement places each category of risk on a risk-appetite scale that ranges from
“low” to “medium” to “high”:

● Low Risk Appetite – Areas in which the Agency avoids risk, or acts to minimize or eliminate
the likelihood that the risk will occur, because we have determined the potential downside costs
are intolerable. These are areas in which we typically seek to maintain a very strong control
environment.

● Medium Risk Appetite – Areas in which the Agency must constantly strike a balance between
the potential upside benefits and potential downside costs of a given decision.

● High Risk Appetite – Areas in which the Agency has a preference for disciplined risk-taking
because we have determined the potential upside benefits outweigh the potential costs.

1.6 How to Use this Statement

This Statement recognizes the reality that frontline staff at USAID is frequently called upon to make
difficult decisions under uncertain circumstances that require a weighing of “opportunities” and
“threats.” For example, our staff could see an “opportunity” to strengthen local ownership for
long-term sustainability as a “threat” that this same investment could come at the expense of
short-term results, or could result in a larger pipeline. This Risk Appetite Statement seeks to
clarify the Agency’s position regarding such (often competing) calculations through the risk appetite
rating scale described in Section 1.5.

In addition to providing guidance on how to weigh opportunities and threats, this Statement informs
how we respond to such risk. Responding to risk can take many forms, including: avoidance of risk
by not investing in a particular approach or not signing an agreement with a particular partner;
reduction of risk through a strong system of internal controls, targeted mitigation measures, or
training and capacity-building efforts, among other options; sharing of risk through strategic
partnerships with key stakeholders; or acceptance of risk without mitigation.

Descriptions of risk-management strategies used across the Agency appear in each of the “We
Will” boxes in Sections 3-9. USAID’s Risk Management Discussion Note (in Annex 1) also lists a
range of tools the Agency uses to assist in managing risk. Additional strategies for
managing risks will depend on a local assessment of the likelihood that an individual risk might occur, and
the impact that such risk could have if it occurs. For example, in countries affected by high levels of
corruption where the likelihood for fraud or diversion of funds is higher than average, we must
implement enhanced controls to further reduce the likelihood of loss. Conversely, in situations in which
an innovative approach is deemed more likely to be successful, or more likely to have a game-changing
impact, we are more likely to weigh the opportunity presented, and accept the risk.

THE RISK PROFILE

Every USAID operating unit (OU) must prepare and submit an annual risk profile through the
Agency’s ERM governance structure, as outlined in OMB Circular A-123 and USAID Operational Policy
(ADS 596mab, “Governance Charter for Enterprise Risk Management and Internal Control at USAID”).
These profiles provide a mechanism to share information on the major risks that face OUs so
leadership has visibility of, and can make decisions about, risk across the Agency. In addition,
these profiles provide a mechanism to ensure that the Agency at all levels makes risk-informed
decisions. Risks flagged in these profiles could include major risks that require additional
response, or “treatment,” to reduce the threat of loss. Profiles could also include strategic risks
that OUs accept because they have determined that the opportunity exceeds the threat of loss.
In all cases, assessment of risk and associated risk response should be guided by this Risk
Appetite Statement.

2. OVERALL RISK APPETITE STATEMENT

The Agency’s risk appetite for each risk category is as follows:

RISK CATEGORY             OVERALL RISK APPETITE
Programmatic              HIGH
Fiduciary                 LOW
Reputational              MEDIUM
Legal                     LOW
Security                  LOW
Human Capital             MEDIUM
Information Technology    MEDIUM

Note: While the Agency’s risk appetite is divided into separate categories, the categories are
interrelated. Additionally, each category contains varying risk appetites for specific areas of focus.
Sections 3-9 provide more nuanced guidance on the Agency’s risk appetite for each category.

3. PROGRAMMATIC RISK

Overall Risk Appetite: HIGH

Definition: “Programmatic Risk” refers to events or circumstances that could potentially improve or
compromise the effectiveness of USAID’s development or humanitarian assistance.

Overview: If we are going to achieve our long-term objective of ending the need for foreign assistance,
we must take smart and disciplined programmatic risks. We work in contexts that are often changing
rapidly, where – despite our best efforts – evidence to support program design is often incomplete, and
where there is rarely one path to achieving results. A further complication is that many of the locations
in which the Agency delivers foreign assistance are complex and non-permissive environments (NPEs),
in which we are required to navigate higher levels of contextual risk to make effective progress against
programmatic goals. In addition, the disciplines of development and humanitarian assistance continue to
evolve at a rapid pace, and there are huge opportunities that arise from ongoing innovations that can
enable us to achieve breakthrough results. We recognize all of these opportunities and threats,
and are committed to making programmatic decisions based on rigorous analysis, while recognizing
that it is often neither possible, nor practical, to achieve the level of information we seek, and
that the biggest risks of all are often the price of inaction or inadequate action.

WE WILL:

● Make decisions based on analysis and conclusions supported by the best currently-available
evidence.

● Incorporate findings from risk-assessments, such as the mandatory climate-change and
construction risk-assessments, in the design of programs.

● Collaborate with a diverse range of partners to leverage innovative thinking that works in
the country context.

● Evaluate the impact of new approaches to continually build the Agency’s evidence base.

● Work with and through local partners to strengthen local capacity and support them in their
journeys to self-reliance.

● Continually monitor, learn, and adapt as the context changes and new evidence emerges.

● Provide rigorous oversight of activities, and ensure we always operate in accordance with
applicable laws and regulations.

We have a MEDIUM risk appetite with regard to:

● Implementing long-term strategic focus in our country programs. We will set priorities and
implement long-term strategic focus in our country programs based on rigorous analysis and
collaboration with key stakeholders to achieve more-effective results. We will also continually
balance this with our obligation to implement initiatives, directives and/or priorities from
Congress and the interagency not foreseen during the strategy development process.

We have a HIGH risk appetite with regard to:

● Harnessing new technologies and innovations. We will harness the potential of technology
and innovation to develop responses to some of the most-vexing challenges our Agency faces, while
recognizing that sometimes these approaches will fail to fulfill their promise.

● Promoting sustainability through local ownership and resource-mobilization. We will
support local ownership and financing, and strengthen the capacity of local organizations and
systems to enhance the sustainability of results and the ultimate goal of host country self-reliance,
while recognizing that sometimes these investments might be more resource-intensive, or come at
the cost of short-term results.

● Partnering with the private sector. We will co-design and co-invest with private-sector entities
that promise to leverage or mobilize additional resources or expertise to amplify the impact of our
work, while recognizing that sometimes such partners will fail to mobilize promised capital, or
deliver on commitments.

● Embracing flexible, iterative design and implementation. We will continually learn and
adapt our programming in contexts that are changing rapidly, or in which evidence is incomplete to
improve the likelihood of achieving intended results, while recognizing that such approaches can
sometimes require additional resources, or add another layer of complexity in designing,
implementing, and monitoring programs.

● Innovative modalities for acquisition and assistance. We will employ a broader range of
acquisition and assistance methods, such as those that enable co-creation, to achieve our
programmatic objectives more effectively, including by harnessing innovations, and partnering with
the private sector and local stakeholders.

4. FIDUCIARY RISK

Overall Risk Appetite: LOW

Definition: “Fiduciary Risk” refers to events or circumstances that could potentially result in fraud,
waste, loss, or unauthorized use of U.S. Government funds, property, or other assets. It also refers to
conflicts of interest that could adversely affect the accountability of U.S. taxpayer dollars, or the
realization of development or humanitarian outcomes.

Overview: We respect our role as a steward of the resources given to us by the American people, and
take a zero-tolerance approach toward fraud, corruption, or violation of law that involve U.S. taxpayer
funds. We also recognize that corruption, low absorptive capacity, and weak management capacity in the
country context can increase the Agency’s fiduciary risk, and that we must identify additional measures
as necessary to mitigate this risk. In addition, we acknowledge that there are times when minimizing
fiduciary risk by avoiding implementation modalities that use partner-country systems could come at the
cost of making progress toward our mission of ending the need for foreign assistance. We are thus
committed to striking a balance, in coordination with Congress, between our obligation to safeguard
U.S. taxpayer funds and our strategic objective to increase local capacity and ultimately transition
partner countries from our assistance.

WE WILL:

● Implement rigorous safeguards against fraud, corruption, or diversion of funds.

● Continually maintain, assess, and update our systems of audit, risk-assessment, and
internal controls.

● Identify additional mitigation measures as needed in the country context, such as
complementary anti-corruption programming or enhanced controls.

● Implement smart measures that enable more funding to flow through local partners.

We have a LOW risk appetite with regard to:

● Non-compliance with financial reporting, payment mechanisms, financial-systems requirements,
internal controls and audit-management. We will continually act to address any weaknesses in
the control environment that could result in fraud, corruption, diversion of resources, or
statutory violations.

● Violations of codes of conduct that involve sexual exploitation or abuse and expose partners
or the Agency to financial loss. We will hold our implementers and our staff to the highest
possible ethical standards, and expect them to protect the interests of beneficiaries.

We have a MEDIUM risk appetite with regard to:

● Implementing funding through local partners. We will implement more funding through local
partners, including (under the right conditions) host-country partner governments, to enhance the
sustainability of results and enable progress toward the ultimate goal of ending the need for our
assistance; however, we must balance this goal with an assessment of the potential for fraud,
corruption, or the diversion of funds.

5. REPUTATIONAL RISK

Overall Risk Appetite: MEDIUM

Definition: “Reputational Risk” refers to events or circumstances that could potentially improve or
compromise USAID’s standing or credibility with Congress, the interagency, the American public,
host-country governments, multilateral institutions, implementing partners, beneficiaries, or other
stakeholders.

Overview: Our reputation among key stakeholders has a profound and direct impact on our capacity
to achieve our mission. It affects everything from the budget and authorities granted to us by Congress
to the degree of influence we wield as we work to facilitate greater ownership of development
processes by local partners, including host-country governments. Reputational risk includes risks that
arise from our actual contributions and value, or decisions not to contribute, as well as risks that stem
from perceptions and misperceptions of our contributions and value. We are therefore committed to
protecting the reputation of the Agency by not only implementing effective ERM in everything we do,
but also by effectively engaging and communicating with our stakeholders toward achieving our mission.

WE WILL:

● Maintain an open, transparent relationship with key stakeholders.

● Continue to publish USAID data while safeguarding Personally Identifiable Information (PII)
and security.

● Appropriately and consistently brand and mark USAID-funded activities.

● Dedicate time and resources to managing and monitoring social media channels that are used.

● Train staff to be everyday ambassadors for our work, and ensure the highest levels of
ethical conduct.

We have a LOW risk appetite with regard to:

● Deficiencies in enforcement of ethical standards. We will hold our staff and partners to the
highest level of ethical and professional standards, and address any weaknesses in enforcement of
rules of ethical professional conduct, including with regard to sexual exploitation and abuse.

● Deficiencies in Congressional consultation and notification. We will address any weaknesses
in processes, procedures, knowledge, or gaps in either required or appropriate consultation and
notification to Congress and other U.S. Government Departments and Agencies. This applies to
proposed and actual budgetary, management, programmatic, and other actions that could pose a legal
and reputational risk to the Agency, or otherwise compromise our adherence to the law and our
relations and understandings with Congress and the interagency.

We have a MEDIUM risk appetite with regard to:

● Traditional press outreach and social media. We will leverage outreach through traditional
press and social media to promote and amplify the goals and results of the Agency. However, we
must balance this outreach with the risks inherent in these activities, such as messages re-posted by
outside groups or taken out of context.

We have a HIGH risk appetite with regard to:

● Empowering our employees to represent the Agency. We will empower our employees
with the necessary skills and ability to represent USAID effectively.

● Sharing and increasing the transparency of technical and programmatic information.
Through our Open-Data policy, we encourage employees and partners to share technical and
programmatic information to demonstrate the Agency’s commitment to transparency, consistent
with applicable legal requirements, while balancing the risk of publishing data that could trigger
privacy and security concerns. We recognize that this commitment to transparency also includes
accepting the risk of possible criticism brought because data show our activities fall short of their
objectives.

● Promoting a culture of learning. We will incentivize and foster a culture of learning by openly
discussing and disseminating lessons learned to enable continuous improvement and enhance our
credibility. This will mean at times identifying mistakes or errors that could affect our reputation.

6. LEGAL RISK

Overall Risk Appetite: LOW

Definition: “Legal Risk” refers to events or circumstances that could potentially improve or
compromise compliance with law, regulation, Executive Order, or other legal requirement.

Overview: To be accountable stewards of the resources and expectations given to us from the
American people, we must operate in accordance with all applicable laws, regulations, Executive Orders,
and other legal requirements. We recognize that the need to comply with legal requirements is inherent
in all aspects of our activities, and we are committed to seeking appropriate legal review of our actions
to facilitate this compliance. We are obligated to maintain a strong control system that promotes
compliance with legal requirements, and uses Agency attorneys as both a safeguard against unlawful
actions and a resource for informed decision-making.

WE WILL:

● Deploy training, guidance, and control systems to foster Agency-wide compliance with legal
requirements.

● Monitor changes to applicable legal requirements, and communicate modifications to the Agency.

● Consult with Agency attorneys as appropriate to evaluate, quantify, and mitigate legal risks.

● Take consistent legal positions that are supported by the law, represent the best interests
of the American people, and advance Agency objectives.

We have a LOW risk appetite with regard to:

● Non-compliance with legal and regulatory requirements. We will mitigate any weaknesses in
processes, procedures, or gaps in staff knowledge that could result in legal risk to the Agency,
or otherwise compromise our adherence to the law.

● Acting without consultation with Agency attorneys. We will consult with Agency attorneys to
mitigate the potential for misinterpretation of legal requirements that could result in a loss to
the Agency, or compromise our adherence to the law.

● Meritorious bid protests or labor, employment, or contract claims. We will
mitigate any deficiencies in processes or procedures that could increase the likelihood of a sustained
bid protest or meritorious labor, employment, or contract claim.

We have a MEDIUM risk appetite with regard to:

● Areas either not covered by the law or reasonably open to interpretation. In consultation
with Agency attorneys, we will at times assume a degree of calculated risk to implement innovative
solutions that could help achieve our strategic objectives.

7. SECURITY RISK

Overall Risk Appetite: LOW

Definition: “Security Risk” refers to circumstances or events that could potentially improve or
compromise the security of USAID staff, partners, information, funding or facilities.

Overview: Safeguarding our personnel, partner organizations, information, and facilities is critical
to delivering on our mission, yet presents one of our biggest risk-management challenges. USAID’s
work increasingly takes place in high-threat, NPEs characterized by conflict, government instability,
and natural disasters, and the obligation to keep personnel and other assets safe must be balanced
with the need to visit project sites, meet with local contacts, consult with partners, access
information, and implement activities. We are continually working on strategies that reflect this
reality, and we are committed to leveraging new technologies, partnerships, flexibilities, and
innovative thinking to protect our personnel and assets, while also delivering needed assistance.[1]

[1] It is important to note that USAID’s staff assigned overseas fall under Chief of Mission (COM) authority, and
therefore risk-management approaches are affected by the Overseas Security Policy Board security standards, the
Regional Security Office, and USAID’s participation in Emergency Action Committees chaired by each Chief of
Mission.

WE WILL:

● Continually strengthen controls surrounding the collection, processing and storing of vital
personal and national security-related information.

● Provide staff with regular trainings and travel briefings (e.g., the Know-Before-You-Go
briefing) so that they appropriately respond to various security threats.

● Continually strengthen the Partner Liaison Security Operation program in countries where
partners are at elevated risk.

● Leverage highly-qualified local staff, partners, and innovative technologies to monitor
programs in high-threat places where mobility is restricted.

● Conduct partner vetting using a risk-based approach to mitigate the risk of diversion of
funds to terrorists or their affiliates.

● Continue to engage with the State Department’s Bureau of Diplomatic Security, including
Regional Security Officers, to maximize our ability to conduct robust oversight in NPEs, while
safeguarding personal security.

We have a LOW risk appetite with regard to:

● Actions that put our personnel in positions of unnecessary risk. We will avoid actions that
could put USAID personnel at risk of physical harm when and where reasonable alternatives exist.

● Violations of information-security policies and procedures. We will minimize any weaknesses
in our training protocols or policies and procedures that could result in the unauthorized
disclosure of sensitive data, such as PII and national-security information.

● Compliance with nationally-established standards for Federal employment and security
clearances. We will address any weaknesses in compliance with standards for Federal employment
and security clearances that could compromise the Agency’s ability to recruit and retain qualified
personnel who have unwavering loyalty to the United States as well as integrity and sound
judgement.

We have a MEDIUM risk appetite in regard to:


● Maintaining presence in non-permissive environments (NPEs). We will maintain missions
or field offices in NPEs as long as we balance the likelihood for security breaches and/or need to
suddenly evacuate staff or allocate additional security resources with the NPE’s impact on U.S.
foreign-policy and national-security objectives.

● Programming in a transparent manner in closed spaces.[2] We will operate with as much
transparency as possible in closed (or closing) spaces, while balancing the imperative to protect
partners and beneficiaries who could face significant risks from association with the United States.

● Undertaking mission-critical field visits. We will support staff in undertaking field visits
coordinated and approved in accordance with Post management policies and Regional Security
Officers (RSOs) for the purposes of designing programs, monitoring implementation, or providing
oversight (among other mission-critical purposes). However, we must balance this desire with the
discretion of the RSO, the likelihood of security incidents, and the availability of effective
alternatives, including those that deploy new technology.

● Providing distinguished visitors with expedited access to USAID’s domestic facilities to
strengthen partnerships and program results. We will accord special privileges to
distinguished visitors, such as foreign diplomats, in recognition of their importance to achieving
country self-reliance and other Agency objectives, as long as we mitigate the potential for security
incidents responsibly.

We have a HIGH risk appetite with regard to:

● Exploring, testing, or using new security methods or technologies. We will harness the
potential of new methods and technologies to reduce exposure to threats, or increase the
preparedness of employees, while recognizing that sometimes such approaches might not always be
as effective as anticipated.

● Supporting partners’ development of their security plans. We will require partners to
develop their security plans in accordance with our rules and parameters, while recognizing that
sometimes the lack of standardization could complicate coordination, or heighten the possibility for
weaknesses.

[2] “Closed spaces” refers to country settings that meet the following criteria: 1) the government in the targeted
country is politically repressive; 2) the government has explicitly rejected USAID assistance or has such an adverse
relationship with the United States that we cannot work with the government on development assistance; and 3)
USAID does not have U.S. Direct-Hire staff in the country.

8. HUMAN-CAPITAL RISK

Overall Risk Appetite: MEDIUM

Definition: “Human-Capital Risk” refers to events or circumstances that could potentially improve or
compromise the capacity, productivity, wellbeing, hiring, or retention of our employees.

Overview: Our success in achieving our mission directly depends on the knowledge, skills, abilities,
dedication, and robustness of our workforce. We recognize that our workforce is our most-important
asset for managing risk – through designing and implementing control systems; making iterative, risk-
informed decisions; skillfully solving problems; coping under pressure; and going the extra mile to ensure
our Agency’s success. However, our workforce can also be a cause of risk, because of skill gaps,
turnover and excessive workload, as well as non-compliance with, or the inconsistent application of,
systems, procedures, and risk-mitigation measures. Our Agency delivers on its mission because of the
capabilities and performance of our talented staff, and is committed to effectively managing the needs of
our current and future workforce. Aligning workforce-planning with the Agency’s Transformation is
essential to ensuring the success of both.

WE WILL:

● Mitigate stress and resilience issues that affect personnel in high-operational-stress
environments through Staff Care and other services.
● Implement agile, transparent processes to attract and onboard employees.
● Execute strategic, forward-looking and flexible workforce-planning processes.
● Empower managers with the skills and support they need to manage staff effectively.
● Uphold a transparent, equitable performance-management system that promotes excellence.
● Provide high-quality, integrated, and coordinated training and mentoring to build capacity and
support rising leaders.
● Support the professional development of our Foreign Service Nationals to better leverage their
expertise and historical knowledge.

We have a LOW risk appetite with regard to:

● Non-compliance with human-resource laws, regulations, and directives. We will act to
minimize any weaknesses in compliance with legal requirements (e.g., from the Equal Employment
Opportunity Commission, the Office of Personnel and Management, and the U.S. Merit Systems
Protection Board) that could impair the Agency’s ability to hire, train, assess, or reward USAID
employees consistently and fairly, or which could put the Agency at risk for unfavorable legal
outcomes.

● Weaknesses in workforce-planning systems across all hiring categories. We will mitigate
any weaknesses in workforce-planning systems that could undermine the Agency’s ability to align
its current needs and priorities with its workforce under the Transformation and ensure it will have
the essential staff levels and skill mixes needed to carry out future programs amidst an uncertain
environment.

● Gaps in skills and capacity. We will work to mitigate any deficiencies in training programs that
could impair the effectiveness of our employees.

● Weaknesses in the processes for recruiting, selecting, hiring, onboarding, evaluating,
and promoting staff. We will work to minimize weaknesses in hiring processes that could inhibit
the Agency’s agility and responsiveness, cause frustration among candidates, or result in the
Agency’s losing highly-qualified candidates. We will also work to reward excellence, deal swiftly and
appropriately with poor performance, and create rigorous processes for evaluating the performance
of, and promoting, employees.

● Bullying, abuse and sexual harassment in the workplace. We will continue to enforce a
zero-tolerance approach to abusive and harassing behavior among our staff, whether in Washington
or in the field.

We have a MEDIUM risk appetite with regard to:


● Prioritizing family needs when assigning Foreign Service Officers (FSOs) to posts. We
will make reasonable efforts to assign FSOs to posts that meet family needs, while balancing the
Agency’s mandate to meet the varied needs of different OUs and the equities of other personnel.

● Assigning FSOs to hardship posts and other difficult operating environments. We are
obliged to assign many FSOs to hardship countries and other posts with difficult operating
environments to achieve our mission, while continually balancing these assignments with the
potential for severe and unsustainable levels of stress that might arise from exposure to threats,
unprecedented workloads, separations from family, and inadequate rest.

We have a HIGH risk appetite with regard to:

● Adopting innovative best practices. We will continually assess best practices in the industry
and Federal Government for attracting, retaining, and developing talent, including seeking flexibilities
for hiring and compensating staff, while recognizing that trying new approaches brings with it the
potential for initiatives to fall short of objectives.

9. INFORMATION-TECHNOLOGY RISK

Overall Risk Appetite: MEDIUM

Definition: “Information-Technology (IT) Risk” refers to events or circumstances that could improve
or compromise the processing, security, stability, capacity, performance, or resilience of information
technology.

Overview: IT is interwoven into all aspects of our operations, and is among the most vital investments
supporting the Agency’s work. The IT landscape continues to evolve at a rapid pace, and technological
advances provide opportunities for USAID to operate more efficiently and effectively. At the same time,
cyber threats continue to grow in aggressiveness and sophistication, as the Agency’s need to share and
use information grows. We recognize the important role that IT plays in supporting our mission, and are
committed to delivering robust, responsive, and flexible IT services and products, while protecting
information and information systems from security threats.

WE WILL:

● Proactively manage cybersecurity risks by continuously identifying and mitigating malware and
other intrusion events.
● Ensure a cutting-edge approach to implementing change and staying ahead of the curve.
● Take an agile approach to fixing or patching vulnerabilities as they are identified.
● Champion leadership for modernization efforts from the top.

We have a LOW risk appetite with regard to:

● Weaknesses in technology, and the transmission, processing, security, stability,
capacity, or performance of data. We will act to minimize any weaknesses that could disrupt
core Agency business operations, slow productivity, heighten the risk of fraud, or threaten the
security of information, such as PII. We will work to avoid unplanned downtime that could result in
lost productivity or costs to recover data.

We have a MEDIUM risk appetite with regard to:


● Open data. We will reduce barriers to sharing Agency-funded data to make information more
transparent and accessible to the public, while balancing the risk of publishing data that could trigger
privacy and security concerns.

● Cloud computing. We will continue to harness the power of cloud computing to lower costs,
improve reliability, and increase accessibility across the globe, while balancing the risks associated
with working with third-party service providers.

We have a HIGH risk appetite with regard to:


● Adoption of new technologies or platforms. We will harness the potential of new
technologies to improve Agency efficiency and productivity, while recognizing the potential for
change-management challenges, time or cost overruns, and the need to harmonize digital innovation
with programmatic policy.
